Blocking xmlrpc.php attack on WordPress website

Xmlrpc.php is a common attack target on WordPress installations. Here’s how to block it.

So you discover that your sites are running slowly on a web server, and after investigating you find that the file xmlrpc.php is being hit repeatedly on one of your websites.

What is xmlrpc.php used for?

Xmlrpc.php is the WordPress implementation of XML-RPC.

Without going into masses of detail, it allows external applications to perform tasks on your WordPress site. Actions it allows include publishing a post, editing or deleting a post, and listing and editing comments.

So why would you ever want to allow this? Well say for example that you have a mobile app that you use for posting to your blog. It might well be using xmlrpc.php to do this.

Should I disable or block xmlrpc.php?

Do you post remotely? Do you manage posts or comments remotely using a 3rd party app or program? Do you even know what I’m talking about?

If the answer is No, then you will probably be safe blocking access to xmlrpc.php.

If in doubt, you could try blocking xmlrpc.php and see if there’s anything you can no longer do.

How to block xmlrpc.php attack

The simplest way to block xmlrpc.php attacks is to completely block internet access to that file.

Edit your .htaccess file in the root directory of your website to block access to xmlrpc.php.

If you do not have FTP access at the time you can use a plugin to edit the .htaccess file. I have used one called “WP Htaccess Editor” in the past and it worked fine.

Just make sure to backup your .htaccess file before editing it (there’s an option for this in the plugin). Messing up your .htaccess file can leave your website completely inaccessible.

Add the following lines to your .htaccess file and save it. The change will take effect immediately.

# Deny all HTTP access to xmlrpc.php (Apache 2.2 syntax; also works on 2.4 when mod_access_compat is loaded)
<Files "xmlrpc.php">
Order Allow,Deny
Deny from all
</Files>

Check your Apache logs and you will no longer see successful hits on your xmlrpc.php file; requests to it will be answered with a 403.

The logs should also give you the IP address that was blocked from accessing xmlrpc.php so you can add this IP address to your firewall blacklist.
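To make that log check systematic, here is an added example (not part of the original post) that parses Apache combined-format access log lines, counts requests to xmlrpc.php per client IP, distinguishes blocked (403) hits from ones that got through, and lists the IPs worth adding to the firewall blacklist. The log lines and IP addresses are constructed sample data, and the threshold of three hits is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def xmlrpc_hits(log_text):
    """Return {ip: {"total": n, "blocked": n}} for every request to /xmlrpc.php."""
    stats = defaultdict(lambda: {"total": 0, "blocked": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip truncated or differently formatted lines
        if m.group("path").split("?")[0] != "/xmlrpc.php":
            continue
        entry = stats[m.group("ip")]
        entry["total"] += 1
        if m.group("status") == "403":
            entry["blocked"] += 1  # the .htaccess rule answered this one
    return dict(stats)


def suspicious_ips(log_text, threshold=3):
    """IPs that reached xmlrpc.php at least `threshold` times and were not all blocked."""
    return sorted(ip for ip, s in xmlrpc_hits(log_text).items()
                  if s["total"] >= threshold and s["blocked"] < s["total"])


if __name__ == "__main__":
    for ip, s in xmlrpc_hits(SAMPLE_LOG).items():
        print(f"{ip}: {s['total']} hits, {s['blocked']} blocked (403)")
    print("candidates for the firewall blacklist:", suspicious_ips(SAMPLE_LOG))
```

Replace SAMPLE_LOG with the contents of your real access log (for example `open("/var/log/apache2/access.log").read()`) to run it against live data.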

One Comment:

  1. Hi,
    You forgot to mention that this solution also blocks Jetpack from communicating with your site, which is critical for some modules. I’ve faced the issue several times and finally found a plugin that allows you to completely block XML-RPC without blocking Jetpack. Check wpbruiser

